Opinion: Will either candidate protect your data? It's time to ask

September 28, 2016
—It's time for the presidential candidates to start talking about privacy, and specifically about data protection.

Firstly, the scope of the recent Yahoo data breach was unprecedented. More than 500 million user accounts were compromised. Yahoo said that the "account information may have included names, email addresses, telephone numbers, and dates of birth."

Yahoo assured users that passwords and security questions and answers were encrypted. But the company is also urging users to change their password and security questions and to review their accounts for suspicious activity.

The Yahoo data breach may be the largest of all time, but it is hardly the first. Over the last several years, the scope of data breaches in the US has increased and the rate of occurrences has accelerated.

This was not hard to predict. When I testified before the Congress in 2011, following a string of attacks against US businesses and financial institutions, I warned that the data breach problem would grow worse. I explained that as consumers and businesses became dependent on cloud-based services they would be less likely to know when problems occur than if they were to lose a laptop or experience a break-in.

We urged Congress and the administration to pass comprehensive privacy legislation and to back Privacy Enhancing Techniques that would minimize or eliminate the collection of personally identifiable information.

In 2012, the administration announced a solid proposal for data protection called the Consumer Privacy Bill of Rights. President Obama also spoke in support of Student Privacy legislation that would prevent the use of educational records for commercial proposes. But the White House has shown little interest in pushing these initiatives, focusing instead on plans for drones and driverless vehicles that will create new privacy risks. And Congress has been unwilling to support new privacy initiatives, even blocking a modest effort at the Federal Communications Commission to limit consumer profiling.

Follow Passcode!

Cybersecurity news and analysis delivered straight to your inbox.

Then in 2015, the Office of Management and Budget acknowledged the most extensive hack of a government records system. The personal information of more than 22 million federal employees, their friends, and family members was breached. This included more the 5 million digitized fingerprint, unique biometric identifiers, and the contents of the confidential SF-86 form, which provides tremendous detail on the personal lives of applicants for sensitive government jobs.

Earlier this year, the Federal Trade Commission reported that almost 500,000 Americans reported identify theft, an increase of 47 percent over the previous year, and the highest number since the agency began keeping this statistic.

Policymakers are well aware of the cybersecurity threat – it even came up during the first presidential debate – but few view the problem through the lens of data protection, which could actually place limits on the personal information businesses and government agencies collect. The result is that data collection continues, and companies and law enforcement agencies are reluctant to tell users when their personal information is compromised. At best data breach laws tell consumers there is a problem.

The current path is not sustainable. Even businesses that oppose government regulation must see that data breaches pose a direct threat to consumer trust and the US economy. Verizon, which planned to pay almost $5 billion to acquire Yahoo, must be asking how to value a company that exposed hundreds of millions of its users to increased risk of identity theft and financial fraud. The potential liability is staggering.

The public knows there is a problem. A recent survey by the Pew Research Center shows support for stronger privacy laws in the US. Pew found that "68 percent of internet users believe current laws are not good enough in protecting people’s privacy online."

Americans also favor limits on how long their personal information is stored. And contrary to the conventional wisdom, Pew found that "young adults are more focused than elders when it comes to online privacy."

Many young people try to protect their privacy online, remove their names from tagged photos, and take steps to mask their identity. They use messaging services with strong cryptography. According to Pew, 74 percent of all Americans say it is "very important" to be in control of their personal information.

In this election year, we have heard a lot from the candidates about the privacy of their email, their tax records, and their health care records. But none of the candidates have save a word about the need for a national strategy on data protection. That must change.

The moderators for the next presidential debate need to ask the candidates about data protection. This may be the most important least well-understood issue of this election. Here are a few suggestions:

"Have you or a family member ever experienced identity theft or a data breach?"

"How do you view the current administration’s efforts to safeguard privacy?"

"What steps would you take to protect the personal information of Americans?"

"Would you back comprehensive privacy legislation?"

"Should the US create a data protection agency?”

"If you are elected president, will Americans continue to experience data breaches similar to the recent Yahoo breach?"